Notorious Cybergang registers over 500,000 domains for malware campaigns
Researchers at security vendor Infoblox have warned that a cybercriminal gang known as Revolver Rabbit has registered more than 500,000 domain names to launch infostealer campaigns targeting Windows and macOS systems.
This unprecedented scale of operations is enabled by registered domain generation algorithms (RDGAs), an automated method allowing the registration of multiple domain names almost instantaneously.
RDGAs are akin to the domain generation algorithms (DGAs) used in malware to create candidate destinations for command and control (C2) communications. However, while a DGA is embedded in the malware and only some of the domains it generates are ever registered, an RDGA stays with the threat actor, and every domain it produces is registered. Because the algorithm cannot be recovered from a malware sample, this makes it significantly harder for researchers to predict and block the domains ahead of time.
Revolver Rabbit's Extensive Domain Network
Infoblox researchers discovered that Revolver Rabbit uses RDGAs to acquire hundreds of thousands of domains, with a total investment of over $1 million in registration fees. The gang primarily registers domains under the .BOND top-level domain (TLD) and uses them as both decoy and live C2 servers for distributing XLoader, an infostealer that succeeded the notorious Formbook malware. XLoader variants target both Windows and macOS systems to harvest sensitive information and execute malicious files.
Renée Burton, VP of Threat Intelligence at Infoblox, said that Revolver Rabbit has registered more than 700,000 domains across various TLDs, with the .BOND domains being the most visible. Each .BOND domain costs around $2, which gives a sense of the financial investment behind the operation.
"The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash," Infoblox reported.
Examples of such domains include:
Usa-online-degree-29o[.]bond
Bra-portable-air-conditioner-9o[.]bond
Uk-river-cruises-8n[.]bond
Ai-courses-17621[.]bond
App-software-development-training-52686[.]bond
Assisted-living-11607[.]bond
Online-jobs-42681[.]bond
Perfumes-76753[.]bond
Security-surveillance-cameras-42345[.]bond
yoga-classes-35904[.]bond
These domains are typically easy to read and focus on specific topics or regions, so at a glance they resemble legitimate marketing or advertising landing pages rather than machine-generated C2 infrastructure.
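The quoted pattern (dash-separated dictionary words followed by a five-digit number, under .bond) is concrete enough to hunt for in DNS logs. The following Python is an added example written for this page, not Infoblox's detection logic or any product's rule: it encodes a strict reading of the quoted pattern, plus a looser variant that also catches samples listed above whose suffix is shorter and mixes digits and letters (for instance "-29o" and "-8n"); treating those as output of the same generator is an assumption made here. The log line format and the sample queries are constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Strict reading of the quoted Infoblox pattern: one or more dash-separated
# dictionary words, a dash, exactly five digits, and the .bond TLD.
STRICT_RE = re.compile(r"^(?:[a-z]+-)+[0-9]{5}\.bond$", re.IGNORECASE)

# Looser variant for the shorter mixed suffixes seen in the examples on this
# page ("-29o", "-8n", "-9o"). Assumption for this example: same generator.
LOOSE_RE = re.compile(r"^(?:[a-z]+-)+[0-9][0-9a-z]{0,4}\.bond$", re.IGNORECASE)

# Constructed log line shape: "... q=<queried name> ...". Not a real resolver format.
LOG_RE = re.compile(r"\bq=(?P<qname>[^\s]+)")


def refang(domain: str) -> str:
    """Turn a defanged 'example[.]bond' into 'example.bond', normalised to lower case."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()


def classify(domain: str) -> Optional[str]:
    """Return 'strict', 'loose', or None for a single domain name."""
    d = refang(domain)
    if STRICT_RE.match(d):
        return "strict"
    if LOOSE_RE.match(d):
        return "loose"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Pull query names out of log lines and return (qname, verdict) for every hit."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = refang(m.group("qname"))
        verdict = classify(qname)
        if verdict:
            hits.append((qname, verdict))
    return hits


# Constructed sample traffic (not real logs): two names from the list above,
# one benign .com, one benign .bond that shares a word but not the numeric
# suffix, and one pattern-shaped name under a different TLD.
SAMPLE_LOG = [
    "2024-07-16T10:21:03Z client=10.0.0.15 q=online-jobs-42681.bond type=A",
    "2024-07-16T10:21:04Z client=10.0.0.15 q=Usa-online-degree-29o.bond type=A",
    "2024-07-16T10:21:05Z client=10.0.0.22 q=www.example.com type=A",
    "2024-07-16T10:21:06Z client=10.0.0.22 q=my-bond-site.bond type=A",
    "2024-07-16T10:21:07Z client=10.0.0.31 q=perfumes-76753.bond type=AAAA",
    "2024-07-16T10:21:08Z client=10.0.0.31 q=assisted-living-11607.com type=A",
]

if __name__ == "__main__":
    for qname, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:6s} {qname}")
```

The strict rule is the one to alert on; the loose rule is better suited to hunting, since a one- or two-character suffix after a word list is a weaker signal. Both rules are deliberately scoped to .bond because the page only supports that TLD for this pattern; widening them to other TLDs without a matching source observation would mostly produce noise from ordinary keyword-style domains.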
Infoblox has been monitoring Revolver Rabbit for nearly a year, but the use of RDGAs masked the gang's true objectives until recently. The connection between Revolver Rabbit's RDGA usage and the XLoader malware was only made after months of tracking, which underscores how effective RDGAs are at hiding infrastructure in plain sight.
Previous campaigns from this adversary had been observed, but none were linked to an operation as large as the one Infoblox uncovered. For instance, Security Joes, an incident response firm, analyzed a Formbook infostealer sample that carried more than 60 decoy C2 servers; only one domain, in the .BOND TLD, was identified as genuine, illustrating how the decoys are used to bury the live infrastructure.
The discovery of Revolver Rabbit's extensive use of RDGAs highlights the evolving tactics of cybercriminals and the challenges faced by security researchers in combating such sophisticated threats.